TL;DR: Identity security is being pulled toward business continuity, compliance and digital transformation as cloud adoption, third-party risk and autonomous agents expand the access surface, according to SailPoint and KPMG. The governance problem is no longer just access management, but whether organisations can prove the right access exists at the right time across people, vendors and AI-driven actors.
NHIMG editorial — based on content published by SailPoint: Identity security, AI governance and third-party risk
By the numbers:
- 60% of breaches are identity-based and a significant portion involve third parties.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities.
Questions worth separating out
Q: How should security teams govern third-party access in hybrid identity environments?
A: They should treat third-party access as a lifecycle-managed identity domain, not a one-time onboarding event.
Q: Why do autonomous agents complicate identity governance?
A: Autonomous agents complicate identity governance because they can make runtime access decisions and use permissions without a human operator pausing to review each step.
Q: What do organisations get wrong about right-time access?
A: They often treat right-time access as a provisioning problem instead of a governance state.
Practitioner guidance
- Inventory third-party identities by business purpose: Create a complete register of vendor, contractor and partner identities, including application scope, owning team and offboarding trigger.
- Define AI agent access as task-scoped lifecycle state: Require a named owner, explicit approval path and retirement condition for each agent that can access sensitive data or tools.
- Reduce standing privilege across hybrid platforms: Review roles, API tokens and delegated accounts for access that persists beyond the actual task window.
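One way to check a register against the three guidance items above, as an added example that is not from SailPoint, KPMG or the original post. The record fields, sample entries and finding labels are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data; field names are assumptions made for this example.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
REGISTER = [
    {"id": "vendor-acme-sftp", "kind": "third_party", "owner": "finance-ops",
     "scope": ["invoicing"], "offboarding_trigger": "contract_end",
     "task_end": NOW + timedelta(days=30), "grant_expires": NOW + timedelta(days=30)},
    {"id": "contractor-jdoe", "kind": "third_party", "owner": "",
     "scope": ["crm"], "offboarding_trigger": None,
     "task_end": NOW - timedelta(days=10), "grant_expires": None},
    {"id": "agent-ticket-triage", "kind": "ai_agent", "owner": "support-eng",
     "approval_path": "change-board", "retirement_condition": None,
     "task_end": NOW + timedelta(days=7), "grant_expires": NOW + timedelta(days=90)},
]

# Governance fields each identity kind must carry, per the guidance list.
REQUIRED = {
    "third_party": ("owner", "scope", "offboarding_trigger"),
    "ai_agent": ("owner", "approval_path", "retirement_condition"),
}

def audit(record, now=NOW):
    """Return findings for one identity record (empty list means clean)."""
    findings = [f"missing:{f}" for f in REQUIRED.get(record["kind"], ())
                if not record.get(f)]
    task_end, expires = record.get("task_end"), record.get("grant_expires")
    if task_end is None:
        findings.append("missing:task_end")
    elif expires is None:
        findings.append("standing:no_expiry")        # access never lapses
    elif expires > task_end:
        findings.append("standing:outlives_task")    # grant exceeds task window
    # Task already finished but the grant is still usable today.
    if task_end is not None and task_end < now and (expires is None or expires > now):
        findings.append("stale:task_over_access_live")
    return findings

def audit_register(register, now=NOW):
    """Map identity id -> findings, omitting records with no findings."""
    return {r["id"]: f for r in register if (f := audit(r, now))}

if __name__ == "__main__":
    for ident, findings in audit_register(REGISTER).items():
        print(ident, findings)
```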
What's in the full article
SailPoint's full blog covers the operational detail this post intentionally leaves for the source:
- The interview discussion on how KPMG frames identity as a business continuity and compliance issue across hybrid environments.
- The practical implications of AI-driven identity tooling versus governing autonomous agents that need sensitive data access.
- The partnership context between SailPoint and KPMG for different sectors, including universities, banks and healthcare organisations.
- The source video discussion that expands on third-party risk, platform integration and identity transformation planning.